regulations, standards, or frameworks

Non-Regulatory

• Does not require an organization to be complaint to a specific standard.

• An organization can simply follow best practices.

Frameworks

• A framework is a structure for an organization.

• Frameworks are recommended best practices which enables an organization to efficiently manage their resources.

Compliance

• Many organizations are required to be compliant to various industry standard to conduct business.

• Failure to be compliant can mean loss of reputation for the business, fines and penalties, and even loss of sales and customers.

• Compliance ensure a business is meets a set of rules policies and regulations.

• There are compliance for various industries such as:

  • Financial

  • Health

Payment Card Industry Data Security Standard (PCI DSS)

Center for Internet Security (CIS)

• Basic CIS Controls ranges from 1 -6.

• Foundational CIS Controls ranges from 7 - 1.

• Organizational CIS Controls ranges from 17 - 20.

NIST Cybersecurity Framework (CSF)

National Institute of Standards and Technology (NIST)

The five Functions included in the Framework Core are:

Core

The Framework Core provides a set of desired cybersecurity activities and outcomes using common language that is easy to understand.   The Core guides organizations in managing and reducing their cybersecurity risks in a way that complements an organization’s existing cybersecurity and risk management processes.

Tiers

The Framework Implementation Tiers assist organizations by providing context on how an organization views cybersecurity risk management. The Tiers guide organizations to consider the appropriate level of rigor for their cybersecurity program and are often used as a communication tool to discuss risk appetite, mission priority, and budget.

Profiles

Framework Profiles are an organization’s unique alignment of their organizational requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core.  Profiles are primarily used to identify and prioritize opportunities for improving cybersecurity at an organization.

(Taken from https://www.nist.gov/cyberframework/getting-started)

NIST Risk Management Framework (RMF)

The NIST Risk Management Framework (RMF) provides a comprehensive, flexible, repeatable, and measurable 7-step process that any organization can use to manage information security and privacy risk for organizations and systems and links to a suite of NIST standards and guidelines to support implementation of risk management programs to meet the requirements of the Federal Information Security Modernization Act (FISMA). 

(Taken from https://csrc.nist.gov/projects/risk-management)

International Organization for Standardization (ISO)

• 27001 - Information security management systems

• 27002 - Code of practice for information security controls

• 27701 - Privacy information management

• 31000 - Risk management

SSAE SOC 2 Type I/II

Cloud security alliance

Cloud control matrix

Reference architecture

Benchmarks /secure configuration guides

• Platform/vendor-specific guides

• Web server

• OS

• Application server

• Network infrastructure devices

General Data Protection Regulation (GDPR)

• Outlines how an organization should protect Personally Identifiable Information (PII) and the privacy data of any customers of the European Union (EU).

• The data controller is responsible for determining how data should be processed.

• The data processor manages the role of the data controller.

Sarbanes-Oxley (SOX)

• Public Company Accounting Reform and Investor Protection Act.

• This Act is used to hold corporate CEOs responsible for their organization's  financial statement and prevent fraud.

• Protects Whistleblowers

Health Insurance Portability and Accountability Act (HIPAA)

• Protection of data within the health industry.

• Patient records are keep confidential.

• Defines how data is stored, use and transmitted.

Gramm-Leach Bliley Act (GLBA)

• Outlines the disclosure of privacy information within Financial originations.

COBIT

• Created by ISACA.

• Control Objectives for Information and Related Technologies.

• Defines how an organization should manage their risk and how to align the IT objectives to the business goals.

Information Technology Infrastructure Library (ITIL)

• Focuses on IT Service Management and ISO 20,000.

• Defined the 5 phase of IT services: Service Design, Service Transition, Service Operation, Service Strategy and Continual Service Improvement.